Geeklog 1.8.2sr1 and 2.0.0rc2 security updates

Welcome to Geeklog Saturday, May 25 2013 @ 04:38 PM EDT

Geeklog 1.8.2sr1 and 2.0.0rc2

Wednesday, February 20 2013 @ 05:40 AM EST
Contributed by:

Dirk
Views:

2,657

We have received two reports about security issues that affect Geeklog in both current versions, i.e. 1.8.2 and 2.0.0 (which is not officially out yet, but in release candidate state):

High-Tech Bridge Security Research Lab reported an XSS in the calendar_type parameter in the Calendar plugin.
Trustwave Spiderlabs reported XSS in the install script, the Configuration, as well as in the Admin interfaces for the Polls plugin and the Topic editor.

To address these issues, we are releasing Geeklog 1.8.2sr1 (complete archive; also available as an update from 1.8.2) and Geeklog 2.0.0rc2.

In addition to the security fixes, Geeklog 1.8.2sr1 also fixes a problem with the Twitter OAuth login. Geeklog 2.0.0rc2 includes further (non-security) bugfixes for this major update.

While the reported security issues are not easy to exploit (due to other security measures in Geeklog), we strongly suggest that you install these updates as soon as possible. Also, be careful when clicking on external links while being logged in as an Admin user - especially when you are unexpectedly prompted for your password.

Trackback

Trackback URL for this entry:: http://www.geeklog.net/trackback.php/geeklog-1.8.2sr1

No trackback comments for this entry.

Geeklog 1.8.2sr1 and 2.0.0rc2
8 comments
Create New Account

The following comments are owned by whomever posted them. This site is not responsible for what they say.

Geeklog 1.8.2sr1 and 2.0.0rc2
Authored by:LWC on Wednesday, February 20 2013 @ 12:55 PM EST

Can you post a Geeklog 1.8.1 to 1.8.2sr1 Upgrade file?

Geeklog 1.8.2sr1 and 2.0.0rc2
Authored by:Laugh on Wednesday, February 20 2013 @ 01:16 PM EST

If Dirk doesn't I will on the weekend.

Tom

Geeklog 1.8.2sr1 and 2.0.0rc2
Authored by:Laugh on Friday, February 22 2013 @ 10:13 AM EST

It looks like Dirk got to it first. Use this first:

Geeklog 1.8.1 to 1.8.2 Upgrade

and then:

Security Update for Geeklog 1.8.2

Geeklog 1.8.2sr1 and 2.0.0rc2
Authored by:LWC on Saturday, February 23 2013 @ 05:05 AM EST

My request was for you to combine it into Geeklog 1.8.1 to 1.8.2sr1 Upgrade.

Geeklog 1.8.2sr1 and 2.0.0rc2
Authored by:LWC on Saturday, February 23 2013 @ 05:07 AM EST

I definitely posted this comment in the right place. Looks like it's a bug that was posted as a brand new comment.

Geeklog 1.8.2sr1 and 2.0.0rc2
Authored by:Dirk on Saturday, February 23 2013 @ 06:00 AM EST

Why? We have never provided such upgrades in the past. In fact, the 1.8.2 upgrade package that Tom provided was already an exception - we only provide such "diff" upgrades for security issues. Is it really that much work for you to download and install two such files?

I'm all for making updates as easy as possible, but please consider that it's a lot of work for us to provide all these extra archives. And where will it stop? Someone is surely going to ask for a "diff" archive from 1.8.0 next ...

Geeklog 1.8.2sr1 and 2.0.0rc2
Authored by:LWC on Sunday, February 24 2013 @ 12:47 PM EST

I'd say it should stop one version before the latest. No more, no less.

It's needed because some of us use custom files. This requires re-customization every time a new version comes out. In this case it means double re-customization.

Geeklog 2.0.0rc2 Bug Fix
Authored by:Laugh on Friday, February 22 2013 @ 10:08 AM EST

There is a small bug in Geeklog 2.0.0rc2 that creates double lines in articles that use plain text mode. To fix please replace the COM_nl2br funtion in lib-common.php with:

function COM_nl2br($string)
{
if (! defined('XHTML')) {
define('XHTML', '');
}

$replace = '<br' . XHTML . '>';
$find = array("\r\n", "\n\r", "\r", "\n");
return str_replace($find, $replace, $string);
}

Resources

Getting started

Support

Development

Topics

User Functions

Events

What's New

Stories

Comments last 2 weeks

Trackbacks last 2 weeks

Links last 2 weeks

NEW FILES last 14 days